Target Hackers Had Detailed System Information

Analysis of the Target breach which involved the infection of point-of-sale (POS) terminals with a variant of Kaptoxa/BlackPOS malware indicates that the attackers had “intimate” knowledge of the retail giant’s network, and used that knowledge to customize the malicious code for optimal performance, according to a new report.

“We know that although the Target malware was based on BlackPOS, several customizations allowed specific behavior within Target’s environment,” investigators familiar with the case reported. “Details regarding Active Directory domain names, user accounts, and IP addresses of SMB shares were hardcoded into scripts that were dropped by some of the malware components.”

The memory-scraping malicious agent employed in the attacks has been available on underground criminal forums under the name of “BlackPOS” since at least the middle of last year for a fee of $1,800 for the basic version and $2,300 for the full version. The malware can allegedly circumvent network firewalls, and once present on POS systems, can harvest credit card information in real time as cards are used for purchases.

The Federal Bureau of Investigation issued an advisory to retailers in January warning that the “memory-parsing” malware used in the Target breach has been connected to some 20 other hacking cases in the past year, though not all of the breaches have been made public. It is known that Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports, and Michaels Store all suffered breaches involving BlackPOS in 2013.

The malware used in all of these attacks is in and of itself not very sophisticated, and it may be that the extensive inside information the attackers used to optimize it’s performance was the key to the successful breach, which exposed account details of more than 100 million customers at Target alone.

“The BlackPOS malware family is an ‘off-the-shelf’ exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality,” the investigators continued. “BlackPOS source code has also been leaked multiple times. Just as we have seen with Zeus/Citadel, Gh0st, Poison Ivy, or many other leaked kits, anyone can employ, modify, and use them for their purpose.”